Not seeing file/folder delete audit results in Security event log

tracyprier
Hi all.

I have enabled auditing for our main shared folder (and its subfolders) to log success events on file or folder deletion; however, when I check the Security log in Event Viewer, it is not reporting any of these, even over the last couple of months, and there should be a good few of them by now.

Auditing was set as principal: everyone, special permissions of: delete and delete subfolders and files.

Appreciate any help with this.
Tracy
Distinguished Expert 2018

Commented:
Auditing setup is two-fold: one half at the folder, the other half at secpol.msc -> Local Policies -> Audit Policy -> Audit object access.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Need to search for events such as 4660 - An object was deleted or 4663 - An attempt was made to access an object.
Audit events are only generated for objects that have configured system access control lists (SACLs), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.
Also, you may already have run the command gpresult /v >C:\gpresult.txt to see the result of group policy.
Senior Software Developer
Commented:
What you've done is tell the OS what to audit when auditing is enabled but you haven't told it to enable auditing. Thank you Microsoft!

This article explains it step by step.

http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/securing-auditing-high-risk-files-windows-servers.html

You have to enable auditing by group policy if you're in a domain or local policy if not.
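
Both halves named in the answers above (the audit policy and the folder's SACL) can be checked from an elevated PowerShell prompt, and the 4663 events narrowed down to deletes. This is an added example, not part of any poster's comment; the share path is a placeholder and the subcategory name assumes an English-language system.

```powershell
# Placeholder path (assumption): replace with the audited share's local path.
$Path = 'D:\Shares\Main'

# Half 1: the policy. "File System" is the Object Access subcategory that
# produces 4660/4663 for files and folders. "No Auditing" here means the
# SACL on the folder is never evaluated.
auditpol /get /subcategory:"File System"

# Half 2: the SACL on the folder. -Audit requires an elevated session.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# Once both halves are in place, list 4663 events whose access mask
# includes DELETE (0x10000) for objects under the share.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
    -MaxEvents 5000 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten the <EventData> name/value pairs into a hashtable.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $mask = [Convert]::ToInt32($d['AccessMask'], 16)
    if (($mask -band 0x10000) -and ($d['ObjectName'] -like "$Path*")) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            User     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object   = $d['ObjectName']
            Process  = $d['ProcessName']
            HandleId = $d['HandleId']
        }
    }
}
```

Event 4660 carries no file name; match it to the 4663 record with the same HandleId to confirm the delete completed.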
Distinguished Expert 2018

Commented:
I wonder if anything in my comment was hard to understand.
tracyprier, Network Administrator

Author

Commented:
Sorry about that, my bad :(
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Am also thinking whether our answers are missing anything or lacking, as I see all referring to auditing.